14 Replies Latest reply on Apr 15, 2014 3:52 PM by cj!

    7100 question - restrict VLAN access

    tschupp New Member


      I want to create a third VLAN in the 7100, but I don't want the traffic to have access to VLANs 1 & 2. How do I do this? Thanks

       


        • Re: 7100 question
          cj! Beta_User

          Hi tschupp:

           

          The 7100, like other AOS switches, can provide multiple Layer 2 VLANs, and traffic will be inherently private to each VLAN unless you also set up an IP interface for each VLAN and provide inter-VLAN routing.  This article provides a very good explanation about VLANs (Layer 2) and VLAN interfaces (Layer 3):  The difference between VLANs and VLAN interfaces

           

          If you merely create VLAN 3 without creating a VLAN interface (with IP address), then you're all set to achieve your goal.  Simply set some access ports for VLAN 3 and you'll have a separate network.

           

          However, if you plan to have an IP interface in VLAN 3, then the firewall must be enabled.  Interface vlan 3 (the ip interface) must be in a separate policy-class (security zone) from interface vlan 1 and 2.  The default behavior is for all traffic to be blocked between different security zones, so you must create firewall rules to allow any traffic between them you might want.  Here's a useful guide for setting up the firewall:   Configuring the Firewall (IPv4) in AOS

           

          Does that point you in the right direction?  Don't hesitate to follow up or ask for clarification!

           

          Best,

          CJ

            • Re: 7100 question
              cj! Beta_User

              I didn't think to also link to the Inter-VLAN Routing guide.  Great info:  Configuring InterVLAN Routing in AOS - Quick Configuration Guide

              • Re: 7100 question
                tschupp New Member

                The customer is putting in a wireless network in their building. They want to allow visitors to connect to the wifi so they have access to the web but not the local network. VLANs 1 & 2 use 10.10.10.xxx and 10.10.20.xxx. The 3rd VLAN would use 10.10.200.xxx, so since I am assigning these IPs I am guessing I need the VLAN interface and should be able to only allow internet access through the firewall and block anything directed to VLANs 1 & 2?

                  • Re: 7100 question
                    cj! Beta_User

                    Right.  Create a new security zone (policy-class) and assign interface vlan 3 to it.  This is an IP interface.  You'll need a NAT overload policy (Internet Connection Sharing) to allow traffic from VLAN 3 to the Internet.  That's basically the gist of it.  Traffic from this new security zone to anywhere else will be blocked unless you were to add policies.

                     

                    If the 7100 will be a DHCP server for WiFi clients, then you'll need to allow traffic to the 7100 itself so that DHCP requests aren't blocked.  You don't want guests to be able to access the http/https/telnet/ssh management interfaces, so consider allowing only bootp/dhcp (I think just UDP 67) from 10.10.200.0/24 to self.  This is describing a policy/rule you'll add to the new security zone.

                     

                    Does that help?  I recommend thorough testing afterward. 

                      • Re: 7100 question
                        tschupp New Member

                        I must be doing something wrong. I can surf but I can still ping a phone on 10.10.20.5 from an ip on vlan 3.

                        This is in the GUI:

                        Policy Action: NAT
                        Destination security zone: any security zone
                        Interface: eth 0/0

                          • Re: 7100 question
                            cj! Beta_User

                            Maybe try to change the destination zone to your public/outside zone.  Sorry--I don't mean to throw random suggestions at you.    If you prefer to attach your config, it might be productive.  Just be sure to sanitize it and expunge sensitive info.  Definitely passwords, pre-shared keys, WiFi passwords (as applicable).  You might want to remove phone numbers too, and anything you don't want the world to see.

                              • Re: 7100 question
                                tschupp New Member

                                That seems to be working now, thanks, but could you explain the bootp/dhcp further?

                                I have a policy that allows NAT to the public security zone and a traffic selector of permit any.

                                I have a policy that allows self bound traffic with a traffic selector of permit any.

                                Where would I put the info for UDP 67?

                                  • Re: 7100 question
                                    cj! Beta_User

                                    I'm a little rusty in the GUI (it's a fantastic interface; I should spend more time there).  I think you edit the policy so that source network is any; source port any.  Destination network any; destination port UDP 67 (bootps).  You can get to these granular settings by clicking the "Permit" line in the list of selectors.

                                     

                                    CJ

                                      • Re: 7100 question
                                        tschupp New Member

                                        I am new to the board and couldn't figure out how to add an attachment. So here it is.
                                        !
                                        !
                                        ! ADTRAN, Inc. OS version R10.11.0.HA.E
                                        ! Boot ROM version A2.06.B2.01
                                        ! Platform: NetVanta 7100, part number 1200796E1
                                        ! Serial number LBADTN1206AF838
                                        !
                                        !

                                        clock timezone -6-Central-Time
                                        !
                                        ip subnet-zero
                                        ip classless
                                        ip routing
                                        ipv6 unicast-routing
                                        domain-name
                                        domain-proxy
                                        name-server 10.72.53.75 8.8.8.8
                                        !
                                        !
                                        no auto-config
                                        !
                                        event-history on
                                        no logging forwarding
                                        no logging email
                                        !
                                        no service password-encryption
                                        !
                                        portal-list "phones" ftp
                                        !

                                        !
                                        !
                                        ip firewall
                                        ip firewall stealth
                                        no ip firewall alg msn
                                        no ip firewall alg mszone
                                        no ip firewall alg h323
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        no dot11ap access-point-control
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        ip dhcp database local
                                        !
                                        ip dhcp pool "LAN_pool"
                                          network 10.10.10.0 255.255.255.0
                                          dns-server 10.10.10.1
                                          netbios-node-type h-node
                                          default-router 10.10.10.1
                                          tftp-server tftp://10.10.10.1
                                          ntp-server 10.10.10.1
                                          timezone-offset -6:00
                                          option 157 ascii TftpServers=0.0.0.0,FtpServers=10.10.20.1:/ADTRAN,FtpLogin=polycomftp,FtpPassword=password,Layer2Tagging=True,VlanID=2
                                        !
                                        ip dhcp pool "VoIP_pool"
                                          network 10.10.20.0 255.255.255.0
                                          dns-server 10.10.20.1
                                          netbios-node-type h-node
                                          default-router 10.10.20.1
                                          tftp-server tftp://10.10.20.1
                                          ntp-server 10.10.20.1
                                          timezone-offset -6:00
                                          option 157 ascii TftpServers=0.0.0.0,FtpServers=10.10.20.1:/ADTRAN,FtpLogin=polycomftp,FtpPassword=password,Layer2Tagging=True,VlanID=2
                                        !
                                        ip dhcp pool "Test 1"
                                          network 10.10.200.0 255.255.255.0
                                          dns-server 10.10.200.1
                                          default-router 10.10.200.1
                                          tftp-server tftp://10.10.200.1
                                          ntp-server 10.10.200.1
                                          timezone-offset -6:00
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        vlan 1
                                          name "Default"
                                        !
                                        vlan 2
                                          name "VoIP"
                                        !
                                        vlan 3
                                          name "Test 1"
                                        !
                                        !
                                        interface eth 0/0
                                          description  Uplink
                                          ip address dhcp hostname
                                          ip access-policy Public
                                          media-gateway ip primary
                                          no awcp
                                          no shutdown
                                          no lldp send-and-receive
                                        !
                                        !
                                        interface eth 0/1
                                          spanning-tree edgeport
                                          no shutdown
                                          switchport access vlan 3
                                        !
                                        !
                                        interface eth 0/2
                                          spanning-tree edgeport
                                          no shutdown
                                          switchport mode trunk
                                        !
                                        !
                                        interface eth 0/3
                                          spanning-tree edgeport
                                          no shutdown
                                          switchport mode trunk
                                        !
                                        !
                                        interface eth 0/4
                                          spanning-tree edgeport
                                          no shutdown
                                          switchport mode trunk
                                        !
                                        !
                                        interface eth 0/5
                                          spanning-tree edgeport
                                          no shutdown
                                          switchport mode trunk
                                        !
                                        !
                                        interface eth 0/6
                                          spanning-tree edgeport
                                          no shutdown
                                          switchport mode trunk
                                        !
                                        !
                                        interface eth 0/7
                                          spanning-tree edgeport
                                          no shutdown
                                          switchport mode trunk
                                        !
                                        !
                                        interface eth 0/8
                                          spanning-tree edgeport
                                          no shutdown
                                          switchport mode trunk
                                        !
                                        !
                                        interface eth 0/9
                                          spanning-tree edgeport
                                          no shutdown
                                          switchport mode trunk
                                        !
                                        !
                                        interface eth 0/10
                                          spanning-tree edgeport
                                          no shutdown
                                          switchport mode trunk
                                        !
                                        !
                                        interface eth 0/11
                                          spanning-tree edgeport
                                          no shutdown
                                          switchport mode trunk
                                        !
                                        !
                                        interface eth 0/12
                                          spanning-tree edgeport
                                          no shutdown
                                          switchport mode trunk
                                        !
                                        !
                                        interface eth 0/13
                                          spanning-tree edgeport
                                          no shutdown
                                          switchport mode trunk
                                        !
                                        !
                                        interface eth 0/14
                                          spanning-tree edgeport
                                          no shutdown
                                          switchport mode trunk
                                        !
                                        !
                                        interface eth 0/15
                                          spanning-tree edgeport
                                          no shutdown
                                          switchport mode trunk
                                        !
                                        !
                                        interface eth 0/16
                                          spanning-tree edgeport
                                          no shutdown
                                          switchport mode trunk
                                        !
                                        !
                                        interface eth 0/17
                                          spanning-tree edgeport
                                          no shutdown
                                          switchport mode trunk
                                        !
                                        !
                                        interface eth 0/18
                                          spanning-tree edgeport
                                          no shutdown
                                          switchport mode trunk
                                        !
                                        !
                                        interface eth 0/19
                                          spanning-tree edgeport
                                          no shutdown
                                          switchport mode trunk
                                        !
                                        !
                                        interface eth 0/20
                                          spanning-tree edgeport
                                          no shutdown
                                          switchport mode trunk
                                        !
                                        !
                                        interface eth 0/21
                                          spanning-tree edgeport
                                          no shutdown
                                          switchport mode trunk
                                        !
                                        !
                                        interface eth 0/22
                                          spanning-tree edgeport
                                          no shutdown
                                          switchport mode trunk
                                        !
                                        !
                                        interface eth 0/23
                                          spanning-tree edgeport
                                          no shutdown
                                          switchport mode trunk
                                        !
                                        !
                                        interface eth 0/24
                                          spanning-tree edgeport
                                          no shutdown
                                          switchport mode trunk
                                        !
                                        !
                                        !
                                        interface gigabit-eth 0/1
                                          no shutdown
                                          switchport mode trunk
                                        !
                                        !
                                        interface gigabit-eth 0/2
                                          no shutdown
                                          switchport mode trunk
                                        !
                                        !
                                        !
                                        !
                                        interface vlan 1
                                          ip address  10.10.10.1  255.255.255.0
                                          ip access-policy Private
                                          media-gateway ip primary
                                          no shutdown
                                        !
                                        interface vlan 2
                                          ip address  10.10.20.1  255.255.255.0
                                          ip access-policy Private
                                          media-gateway ip primary
                                          no shutdown
                                        !
                                        interface vlan 3
                                          description Test 1
                                          ip address  10.10.200.1  255.255.255.0
                                          ip mtu 1500
                                          ip access-policy "test 1"
                                          media-gateway ip primary
                                          no awcp
                                          no shutdown
                                        !
                                        !
                                        interface fxs 0/1
                                          description
                                          no shutdown
                                        !
                                        interface fxs 0/2
                                          description
                                          no shutdown
                                        !
                                        !
                                        interface fxo 0/1
                                          impedance 900r
                                          no shutdown
                                        !
                                        interface fxo 0/2
                                          description
                                          impedance 900r
                                          no shutdown
                                        !
                                        isdn-number-template 1 prefix "" subscriber NXX-XXXX
                                        isdn-number-template 2 prefix "" national NXX-NXX-XXXX
                                        isdn-number-template 3 prefix 011 international X$
                                        isdn-number-template 4 prefix "" unknown NXX
                                        isdn-number-template 5 prefix "" unknown NXXX
                                        isdn-number-template 6 prefix 1 national NXX-NXX-XXXX
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        ip access-list standard NAT
                                          remark Internet Connection Sharing
                                          permit any
                                        !
                                        ip access-list standard wizard-ics
                                          remark NAT list wizard-ics
                                          permit any log
                                        !
                                        !
                                        ip access-list extended Admin
                                          remark Admin Access
                                          permit tcp any  any eq https   log
                                          permit tcp any  any eq ssh   log
                                          permit tcp any  any eq www   log
                                          permit tcp any  any eq telnet   log
                                          permit icmp any  any  echo   log
                                        !
                                        ip access-list extended InterVLAN
                                          remark Voice / Data VLAN Traffic
                                          permit ip 10.10.10.0 0.0.0.255  10.10.20.0 0.0.0.255
                                          permit ip 10.10.20.0 0.0.0.255  10.10.10.0 0.0.0.255
                                        !
                                        ip access-list extended self
                                          remark Traffic to NetVanta
                                          permit ip any  any     log
                                        !
                                        ip access-list extended web-acl-11
                                          remark admin
                                          permit tcp 204.87.167.104 0.0.0.3  any eq www   log
                                          permit tcp 204.87.167.104 0.0.0.3  any eq telnet   log
                                          permit tcp 204.87.167.104 0.0.0.3  any eq ssh   log
                                          permit tcp 204.87.167.104 0.0.0.3  any eq ftp   log
                                        !
                                        ip access-list extended web-acl-15
                                          permit ip any  any     log
                                        !
                                        ip access-list extended web-acl-4
                                          remark admin
                                          permit tcp 204.87.167.104 0.0.0.3  any eq www   log
                                          permit tcp 204.87.167.104 0.0.0.3  any eq telnet   log
                                          permit tcp 204.87.167.104 0.0.0.3  any eq ssh   log
                                          permit tcp 204.87.167.104 0.0.0.3  any eq ftp   log
                                        !
                                        ip access-list extended web-acl-7
                                          permit ip any  any
                                        !
                                        !
                                        !
                                        !
                                        ip policy-class Private
                                          allow list self self
                                          nat source list wizard-ics interface eth 0/0 overload
                                        !
                                        ip policy-class Public
                                          allow list web-acl-11 self
                                        !
                                        ip policy-class "test 1"
                                          nat source list wizard-ics interface eth 0/0 overload policy Public
                                          allow list web-acl-15 self
                                        !
                                        !
                                        !
                                        tftp server
                                        tftp server overwrite
                                        tftp server default-filesystem cflash
                                        http server
                                        http secure-server
                                        no snmp agent
                                        ip ftp server
                                        ip ftp server default-filesystem cflash
                                        no ip scp server
                                        ip sntp server
                                        ip sntp server send-unsynced
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        sip
                                        sip udp 5060
                                        sip tcp 5060
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !
                                        !

                                          • Re: 7100 question
                                            cj! Beta_User

                                            I would add an ACL (AOS uses access-lists only to match traffic, not to take action; we'll use this ACL in a policy later):

                                            !
                                            ip access-list extended guest-dhcp
                                              remark guest-dhcp
                                              permit udp any  any eq bootps
                                            !

                                            Then edit the Private policy-class (note the policy to allow traffic between the two VLANs in the Private zone):

                                            !
                                            ip policy-class Private
                                              allow list self self
                                              allow list InterVLAN policy Private
                                              nat source list wizard-ics interface eth 0/0 overload policy Public
                                            !

                                            Last, the "test 1" zone:

                                            !
                                            ip policy-class "test 1"
                                              allow list guest-dhcp self
                                              nat source list wizard-ics interface eth 0/0 overload policy Public
                                            !

                                            Significant points:

                                            • policy-classes (security zones) block everything (ingress) by default; allow/NAT through only what you need
                                            • policy-classes are processed top-down--this is critical
                                              • The NAT overload (ICS) policy should be last, normally, because it will match everything if first

                                             

                                            Cheers,

                                            CJ

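The security point of the whole thread is how a policy-class decides, top-down, what guest traffic may leave VLAN 3: a NAT entry whose destination is "any security zone" forwards guest traffic into VLANs 1 and 2 (the ping to 10.10.20.5), and a self-bound allow backed by `web-acl-15` (`permit ip any any`) hands guests the 7100's http/https/telnet/ssh/ftp management services. The Python model below is an added example, not ADTRAN code and not from this thread beyond the ACL, zone and address names it reuses. Its modeling rules are my assumptions, not anything the page states: entries are checked top-down and the first match decides; an entry without a `policy <zone>` qualifier applies to any destination zone; the destination zone is found by routing the destination address; and `self` covers the 7100's own interface addresses plus the DHCP broadcast address. It runs three versions of the "test 1" zone against constructed probe packets: the GUI state the poster described (NAT to any zone), the posted running-config (NAT to Public, but `web-acl-15` to self), and the zone CJ suggested. One caveat the model makes visible: the suggested zone also drops guest DNS to 10.10.200.1, and the posted "Test 1" DHCP pool hands guests `dns-server 10.10.200.1`, so a second entry in the same ACL permitting UDP 53 to self would be needed for name resolution.

```python
"""Toy model of AOS policy-class evaluation for the "test 1" guest zone.

Added example, not ADTRAN code.  Modeling assumptions (mine, not from the
thread): entries are checked top-down and the first match decides; an entry
with no "policy <zone>" qualifier applies to any destination zone; the
destination zone comes from routing the destination address; "self" is any
address the 7100 itself owns.  Anything unmatched is dropped.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-list entry; proto "ip" matches every protocol."""
    proto: str
    src: str                    # CIDR or "any"
    dst: str
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("ip", p.proto):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return in_net(p.src, self.src) and in_net(p.dst, self.dst)


def in_net(addr: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


@dataclass(frozen=True)
class Entry:
    action: str                 # "allow" or "nat"
    acl: str
    to_zone: str                # a zone name, "self", or "any"


# ACLs as they appear in the thread (wizard-ics is a standard ACL and so
# matches on source only; its "permit any" is modeled as any -> any).
ACLS = {
    "wizard-ics": [Ace("ip", "any", "any")],
    "web-acl-15": [Ace("ip", "any", "any")],
    "guest-dhcp": [Ace("udp", "any", "any", 67)],
}

# Zones implied by the posted config: vlan 1/2 -> Private, vlan 3 -> "test 1",
# eth 0/0 -> Public (default route).  The 7100's own addresses are "self";
# the DHCP broadcast address is treated as self as well (assumption).
ROUTES = {"10.10.10.0/24": "Private", "10.10.20.0/24": "Private",
          "10.10.200.0/24": "test 1"}
SELF = {"10.10.10.1", "10.10.20.1", "10.10.200.1", "255.255.255.255"}


def dest_zone(dst: str) -> str:
    if dst in SELF:
        return "self"
    for net, zone in ROUTES.items():
        if in_net(dst, net):
            return zone
    return "Public"


def evaluate(policy: list[Entry], p: Packet) -> str:
    """Verdict for a packet entering the zone: 'allow', 'nat' or 'drop'."""
    zone = dest_zone(p.dst)
    for e in policy:                      # top-down, first match wins
        if e.to_zone not in ("any", zone):
            continue
        if any(ace.matches(p) for ace in ACLS[e.acl]):
            return e.action
    return "drop"


# Three versions of the "test 1" zone discussed in the thread.
NAT_TO_ANY_ZONE = [Entry("nat", "wizard-ics", "any")]       # GUI state that let pings through
POSTED = [Entry("nat", "wizard-ics", "Public"),              # running-config as posted
          Entry("allow", "web-acl-15", "self")]
SUGGESTED = [Entry("allow", "guest-dhcp", "self"),           # the suggested zone
             Entry("nat", "wizard-ics", "Public")]

# Constructed probe packets from a guest client on VLAN 3 (203.0.113.10 is a
# documentation address standing in for any Internet host).
PROBES = {
    "icmp to phone 10.10.20.5": Packet("icmp", "10.10.200.50", "10.10.20.5"),
    "https to the Internet":    Packet("tcp", "10.10.200.50", "203.0.113.10", 443),
    "dhcp discover":            Packet("udp", "0.0.0.0", "255.255.255.255", 67),
    "ssh to the 7100":          Packet("tcp", "10.10.200.50", "10.10.200.1", 22),
    "dns to the 7100":          Packet("udp", "10.10.200.50", "10.10.200.1", 53),
}


def run(policy: list[Entry]) -> dict[str, str]:
    return {name: evaluate(policy, p) for name, p in PROBES.items()}


if __name__ == "__main__":
    for label, policy in [("nat to any zone", NAT_TO_ANY_ZONE),
                          ("posted config", POSTED),
                          ("suggested zone", SUGGESTED)]:
        print(label)
        for name, verdict in run(policy).items():
            print(f"  {name:26} {verdict}")
```

Running it prints a verdict table per zone version: the NAT-to-any-zone version forwards the ping to 10.10.20.5, the posted config blocks the ping but allows ssh to 10.10.200.1, and the suggested zone allows only DHCP to self and NAT to the Internet, with DNS to the 7100 dropped until an entry for UDP 53 is added.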